UNCLASSIFIED

MEMORANDUM REPORT 01-IT-M-017
DEPARTMENTWIDE WEB SITE MANAGEMENT NEEDS TO BE STRENGTHENED
March 2001

In response to requirements of Section 646 of the Treasury and General Government Appropriations Act, 2001, the Office of Inspector General conducted a review of Internet privacy management at the Department of State. This report focuses on the Department's practices regarding the collection of personally identifiable information through the use of "cookies" [1] and other means on its public web sites.

Specific objectives of our review were to (1) identify the Department's policies and procedures for managing its Internet web sites in accordance with Federal guidance, (2) determine whether the Department's web sites use cookies or have entered into third-party agreements concerning the use of cookies, and (3) determine whether all of the Department's major web entry points have privacy statements posted that adequately reflect what, if any, personal information is collected on the web sites and how that information is used. In addition, during the course of our review, we examined the Department's structure for managing web sites and ensuring Internet privacy organizationwide. We have included a discussion of these issues and related recommendations in this report.

[1] A cookie is a small text file placed on a site visitor's computer by a web server. A cookie allows a server to recognize returning users, track online purchases, or maintain and serve customized web pages. A cookie can also facilitate the collection of personal information, such as lists of previously visited sites, e-mail addresses, or other information used to identify or build profiles on individual site visitors.

RESULTS IN BRIEF

The Department of State has become increasingly reliant on the World Wide Web as a means to inform the public about its activities and services, both here and abroad. Toward that end, the Department is instituting policies to ensure that its web sites are managed in accordance with Federal privacy guidelines prescribed by the Office of Management and Budget (OMB).

The Department's policies restrict the use of persistent cookies on its public web sites without the Secretary's approval. Cookies are a common means of collecting personal data on Internet sites, often without the site visitors' awareness. Despite the restriction, we found that 9 of the 206 web sites that we identified in the Department were using persistent cookies without proper authorization. Further, 116 of the 206 sites that we reviewed (more than half) had no privacy statements and therefore no means of advising users of any information collected on the sites. We found no evidence that the cookies were used to collect personally identifiable information.

These problems resulted in part from the Department's highly decentralized approach to web site management, in which numerous organizations share responsibility for guiding or controlling various aspects of Internet management. The Department recognizes that it needs to strengthen web site management across the organization and, as a first step, has established a permanent, senior-level Internet Steering Committee. We recommend that the Department go further and establish an Internet Program Office within the Office of the Under Secretary for Public Diplomacy and Public Affairs to support the Internet Steering Committee in overseeing and coordinating web sites on an agencywide basis.

BACKGROUND

Rapid innovations in technology in recent years offer increasing opportunities for the U.S. Government to improve the quality of information and service that it provides to its citizens. The World Wide Web has emerged as a powerful tool for communicating large amounts of information on Federal activities, policies, and programs. At the same time, however, the web has made it possible for sites to track and collect personally identifiable data [2] from site visitors, making online privacy one of the key and most contentious issues of this information management age.

Internet cookies are a principal means by which web sites can collect personal information from site visitors, often without the visitors' knowledge or consent. There are two types of cookies: "session cookies" and "persistent cookies." Session cookies are short-lived: they are used only during a single browsing session, are discarded when the user quits the browser, and consequently are not considered to raise privacy concerns. Persistent cookies track information over time, across repeat visits and, when set by a third party whose content is embedded in many sites, across web sites. They remain stored on visitors' computers until a specified expiration date and can be used to collect information such as a visitor's areas of interest and individual browsing habits.

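The distinction above is what a review of a site's HTTP responses has to detect. The following Python script is an added example, not code from the report or from the Department: it classifies each Set-Cookie header captured while browsing a site as session or persistent (an Expires or Max-Age attribute that lies in the future), flags cookies set by, or scoped to, hosts outside the site as third-party, and checks the captured pages for a privacy link, which is the kind of "cookie indicator" testing described later in the methodology. The hosts, cookie values and pages are constructed; the CFID/CFTOKEN names follow ColdFusion's client-tracking cookies, which the report does not name, and are an assumption.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

@dataclass
class CookieFinding:
    name: str
    set_by: str                   # host whose response carried the Set-Cookie header
    persistent: bool              # outlives the browser session (Expires/Max-Age in the future)
    third_party: bool             # set by, or scoped to, a host outside the audited site
    expires: Optional[datetime]   # None for a session cookie

def _parse_set_cookie(value: str):
    """'name=value; Attr=val; Flag' -> (name, {attr: val}) with attribute names lower-cased."""
    pieces = [p.strip() for p in value.split(";")]
    attrs = {}
    for piece in pieces[1:]:
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return pieces[0].partition("=")[0].strip(), attrs

def _host_in_domain(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it (leading dot ignored)."""
    domain, host = domain.lstrip(".").lower(), host.lower()
    return host == domain or host.endswith("." + domain)

def _expiry(attrs: dict, now: datetime) -> Optional[datetime]:
    """Absolute expiry, or None for a session cookie. Max-Age wins over Expires (RFC 6265
    section 5.3); an unparseable value is treated as absent, which is what browsers do."""
    if "max-age" in attrs:
        try:
            return now + timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            return None
    if "expires" in attrs:
        try:
            exp = parsedate_to_datetime(attrs["expires"])
        except (ValueError, TypeError):
            return None
        return exp if exp.tzinfo else exp.replace(tzinfo=timezone.utc)
    return None

def classify_cookie(site_host: str, set_by: str, header_value: str, now: datetime) -> CookieFinding:
    """Classify one Set-Cookie header observed while browsing site_host."""
    name, attrs = _parse_set_cookie(header_value)
    expires = _expiry(attrs, now)
    # An expiry already in the past tells the browser to delete the cookie; that is not tracking.
    persistent = expires is not None and expires > now
    scope = attrs.get("domain", set_by)
    third_party = not (_host_in_domain(site_host, set_by) and _host_in_domain(site_host, scope))
    return CookieFinding(name, set_by, persistent, third_party, expires)

_ANCHOR = re.compile(r'''<a\b[^>]*\bhref\s*=\s*["']?([^"'\s>]+)[^>]*>(.*?)</a\s*>''', re.I | re.S)

def has_privacy_link(html: str) -> bool:
    """A link whose target or visible text mentions privacy: the home-page link to a central
    notice that the report describes as the general practice."""
    return any("privacy" in href.lower() or "privacy" in re.sub(r"<[^>]+>", "", text).lower()
               for href, text in _ANCHOR.findall(html))

def audit_site(site_host: str, responses, now: datetime) -> dict:
    """responses: (host, headers, body) triples captured while navigating the site; headers
    are (name, value) pairs so that repeated Set-Cookie headers survive."""
    findings, privacy = [], False
    for host, headers, body in responses:
        findings += [classify_cookie(site_host, host, v, now)
                     for n, v in headers if n.lower() == "set-cookie"]
        privacy = privacy or (_host_in_domain(site_host, host) and has_privacy_link(body))
    persistent = sorted(f.name for f in findings if f.persistent)
    return {
        "session": sorted(f.name for f in findings if f.expires is None),
        "persistent": persistent,
        "third_party": sorted(f.name for f in findings if f.third_party),
        "privacy_statement": privacy,
        # Under the OMB guidance the report cites, a persistent cookie needs notice and agency-head approval.
        "needs_agency_head_approval": bool(persistent),
    }

# Constructed captures for the two cases the report contrasts; hosts and values are hypothetical.
# CFID/CFTOKEN follow ColdFusion's client-tracking cookie names (an assumption; the report
# names the tool but not the cookies).
NOW = datetime(2001, 2, 21, 12, 0, tzinfo=timezone.utc)

COMPLIANT_SITE = ("www.post-a.example.gov", [
    ("www.post-a.example.gov", [("Set-Cookie", "SESSIONID=abc123; Path=/")],
     '<html><body><a href="/disclaimers.html#privacy">Privacy Notice</a></body></html>'),
])

NONCOMPLIANT_SITE = ("www.post-b.example.gov", [
    ("www.post-b.example.gov",
     [("Set-Cookie", "CFID=1234; Expires=Wed, 09 Jun 2031 10:18:14 GMT; Path=/"),
      ("Set-Cookie", "CFTOKEN=98765432; Expires=Wed, 09 Jun 2031 10:18:14 GMT; Path=/"),
      ("Set-Cookie", "oldpref=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/")],
     "<html><body>Welcome. <img src='http://counter.example-stats.com/c.gif'></body></html>"),
    ("counter.example-stats.com",   # hit counter loaded from a third party's server
     [("Set-Cookie", "uid=7f3a; Max-Age=31536000; Domain=.example-stats.com; Path=/")], ""),
])

if __name__ == "__main__":
    for site_host, responses in (COMPLIANT_SITE, NONCOMPLIANT_SITE):
        print(site_host, audit_site(site_host, responses, NOW))
```

Two details matter in practice. A cookie with Max-Age=0 or an Expires date in the past is a deletion instruction and is neither a session nor a persistent cookie, so it is left out of both lists. And the third-party test looks at which host answered, not only at the Domain attribute, because a counter or banner loaded from another server sets its cookie from its own response; an audit that only reads the site's own headers misses exactly the cookies the report found on overseas posts.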
Persistent cookies may raise the public's apprehension about what information is collected and how it could be used. The full potential of the Internet to help improve Federal service cannot be realized until U.S. citizens are confident that their online privacy will be safeguarded. Recognizing this, and building on principles established by the Privacy Act of 1974 (5 USC 552a) and related legislation, the U.S. Government has recently taken steps to help ensure the privacy of visitors to Federal web sites. Specifically, over the past 2 years, OMB issued guidance that establishes the U.S. Government policy for the use of cookies on department and agency public web sites. [3] Taken together, the OMB guidance directs that Federal web sites, and contractors operating web sites on behalf of Federal agencies, should not use persistent cookies unless they provide clear and conspicuous notice of those activities and meet the following conditions: (1) a compelling need to gather the data on the site, (2) appropriate and publicly disclosed privacy safeguards for handling of information derived from cookies, and (3) personal approval by the head of the agency. The OMB guidance exempts Federal use of session cookies from these requirements.

[2] Personally identifiable data includes an individual's name, e-mail address, postal address, telephone number, Social Security number, or credit card number.
[3] The OMB guidance includes (1) Memorandum M-99-18, Privacy Policies on Federal Web Sites, June 2, 1999, (2) Memorandum M-00-13, Privacy Policies and Data Collection on Federal Web Sites, June 22, 2000, and (3) a letter from the Administrator, OMB Office of Information and Regulatory Affairs, to the Chief Information Officer, Department of Commerce, September 5, 2000, clarifying the previously issued guidance.

PURPOSE, SCOPE, AND METHODOLOGY

Section 646 of the Treasury and General Government Appropriations Act, 2001, directs all Inspectors General to report on their respective agencies' practices to collect any personally identifiable information from their public Internet sites. Such information could be collected either on an agency's web sites or through third-party agreements. In response to the Act, the Office of Inspector General conducted a review with the specific objectives of (1) identifying the Department's policies and procedures for managing its Internet web sites in accordance with Federal guidance, (2) determining whether the Department's web sites use cookies or have entered into third-party agreements concerning the use of cookies, and (3) determining whether all of the Department's major web entry points have privacy statements posted that adequately reflect what, if any, personal information is collected on the web sites and how that information is used.

To fulfill our review objectives, we researched guidance used at the Department of State to govern Internet privacy in accordance with Federal laws and regulations. We met with officials from organizations across the Department to learn how they manage their public Internet sites and whether they collect any personal information on the Internet via cookies, third-party agreements, or other electronic means. We also tested 22 headquarters and 184 overseas Internet sites that we identified within the Department to determine whether cookies are used and whether privacy statements are posted to advise of such practices. [4] Where necessary, we followed up with responsible officials to obtain explanations of their web management practices and plans for corrective actions. Throughout our review, we also studied the Department's structure for coordinating management of web sites organizationwide.

Appendix A provides details on our methodology for testing the Department's Internet sites. Under this approach, we did not examine every page on a web site, but rather spent a limited time navigating through each site to look for cookie indicators. We also relied on discussions with web management officials to learn about third-party agreements or other practices to collect information on public web sites. To validate our treatment in the report of the Internet management practices that the officials described, we obtained comments on a draft of the report from organizations that participated in our review. We have incorporated their comments and suggested changes where appropriate.

We also obtained written comments on a draft of this report from both the Office of the Under Secretary for Management and the Office of the Under Secretary for Public Diplomacy and Public Affairs. We have incorporated their comments and suggested changes where appropriate and have included a copy of the comments at Appendix B.

[4] We did not include issues related to management of the Department's internal Intranet sites in our review.

We conducted our review from January to March 2001 at the Department of State in Washington, DC. Appendix C provides a list of the Department bureaus and offices that participated in our review. We performed our work in accordance with generally accepted government auditing standards. Major contributors to this report were Frank Deffer, Sondra McCauley, and John Shiffer. Comments or questions about the report can be directed to Mr. Deffer at defferf@state.gov or at (703) 284-2715.

AUDIT FINDINGS

DEPARTMENTAL INTERNET GUIDANCE BEING ESTABLISHED

In keeping with OMB directives, the Department of State has ongoing efforts to establish guidance for managing its public Internet sites. Specifically, on June 20, 2000, a working group of representatives from across the organization issued a Department Notice, Interim Guidance on Public Web Site Hosting, to establish policies for Internet access and site hosting until the details on web systems requirements, content, security, incident handling, and other issues could be finalized. A second notice, Policy for the Use of "Cookies" on Department of State Web Sites, issued on September 27, 2000, as an addendum to the Interim Guidance, establishes the presumption that cookies should not be used on the Department's web sites.

The working group followed up with development of Guidelines for Public Information Dissemination on the Internet. The guidelines are designed to help ensure high quality and consistent standards for the content, organization, and presentation of information on the Department's public web sites. The guidelines reiterate the restrictions on Internet cookie use, directing bureaus, offices, and missions to consult with the Bureau of Administration for advice on cookie usage and for guidance on submitting requests for approval to the head of the Department. The guidelines also discuss the requirement that web sites display privacy and security notices informing users when cookies or other means of collecting data from the public are employed on the sites. The guidelines were approved in February 2001 and are awaiting release throughout the Department. They will ultimately be institutionalized as regulatory policy through incorporation into chapter 5, section 700, of the Foreign Affairs Manual (Internet and Intranet Use), which is currently undergoing review.

DEPARTMENT WEB SITES DO NOT COLLECT PERSONALLY IDENTIFIABLE DATA

The Department of State does not use its Internet sites as a means to collect personally identifiable information on site visitors without their awareness. Our current review, like prior assessments, identified instances in which persistent cookies were used on the Department's web sites; however, none of the cookies were used to gather data on site visitors. In all cases, web site managers have been informed, and corrective actions are either underway or completed. The Department has other processes to collect web statistics, trend data, or log files for security purposes, but these processes also are not used to track individual users over time. Given recent legislation and ongoing discussions within the Department about potentially using the Internet to conduct electronic business, consideration may have to be given in the future to using cookies or other means to collect personal information on web site visitors.

Cookies Generally Not Used on Department Web Sites

The Department generally does not use cookies on its public web sites. We found that of the 206 sites that we visited and tested, 16 used cookies. Of those 16, 7 used only session cookies, which are permitted under OMB guidance. The remaining 9 sites used persistent cookies, which are not allowed under Federal guidelines without agency head approval. At two of those sites, the web managers knew that the persistent cookies were being used but did not realize they needed authorization. At the remaining seven, the web managers told us they did not know that persistent cookies were being used. Web managers are currently taking steps to remove, or to seek the Secretary's approval for, the nine persistent cookies that we discovered during our review. We found persistent cookies at the following sites:

Domestic
• Foreign Buildings Operations, Art in Embassies Program (aiep.state.gov)
• Diplomatic Security, Overseas Security Advisory Council (www.ds-osac.org)
• Bureau of Educational and Cultural Affairs, International Visitors Program (www.ivprograms.org)

Overseas Posts
• Namibia (www.usembassy.namib.com)
• Belize (www.usemb-belize.gov)
• Auckland (homepages.ihug.co.nz/~amcongen/ieindex.htm)
• Athens (www.usisathens.gr)
• Thessalonika (virtuals.compulink.gr/us-consulate)
• Vladivostok (vladivostok.com/usis)

Persistent Cookies Not Used to Collect Personal Data

In all nine instances where we found persistent cookies, we found no evidence that they were being used to collect personal data on site visitors. Specifically, the three domestic web sites that had cookies were built with ColdFusion, a web site development tool that by default sets persistent cookies to identify a visitor. These cookies provide a convenient way to maintain user preferences (graphics display, screen color, and so on) as a user navigates from one web page to another during a site visit. The preferences themselves are discarded from the server's memory when the user's session ends, although the cookie itself remains on the visitor's computer until it expires. Web managers for these domestic sites stated that they were unaware that ColdFusion automatically uses persistent cookies. As of February 21, 2001, one office had removed the cookie from its web site, and the second office had not yet begun corrective actions. The third organization has tentative plans to seek the Secretary of State's approval to continue to use the cookie. Officials told us that several other bureaus are also planning to use ColdFusion for their web development and may not be aware that the application might automatically place cookies on their web sites.

We notified officials from the Office of International Information Programs of instances where we found persistent cookies on overseas web sites. The Office, which has responsibility for coordinating and advising overseas posts concerning their public web sites, contacted the webmasters to request explanations about the cookies and to advise that they must either remove the cookies from their web sites or seek agency head approval for their use. Overseas web officials gave various reasons for using cookies. Although several of the cookies had been placed by third-party contractors, the cookies were used only for such activities as analyzing web trends, counting visitors, and facilitating user navigation through the sites. All posts that had persistent cookies have removed them from their sites.

Persistent Cookies Identified Prior to Office of Inspector General Review

Over the past year, the Department has had to address a number of other instances where persistent cookies were found on its web sites. For example, in August 2000, the Office of International Information Programs identified two overseas posts that were using cookies placed by third-party organizations to monitor web site usage. The web managers at both locations have deleted the cookies from their sites.

Further, in September 2000, the U.S. General Accounting Office reported on cookies found at two of the Department's web sites: www.usia.gov and travel.state.gov. [5] According to Department officials, the United States Information Agency web site has been shut down, [6] and the cookie at the travel web site has been eliminated. More recently, on January 26, 2001, the U.S. General Accounting Office notified the Department that it had found a third-party cookie on a Bureau of Human Resources recruitment site (www.state.gov/www/careers) and that there was no privacy notice posted about cookie use. In its response, the Department stated that the cookie had been inserted into the home page of the careers site to assess the effectiveness of banner ads that had been purchased on other web sites to promote recruitment. The Department stated that it was not aware that the cookie was being used and indicated that it has since been eliminated from the web site.

[5] Internet Privacy: Comparison of Federal Agency Practices With FTC's Fair Information Principles, U.S. General Accounting Office (GAO/AIMD-00-296R, September 11, 2000).
[6] The United States Information Agency has been merged into the Department of State and is no longer a separate agency.

Other Methods for Handling Personally Identifiable Data on Department Web Sites

There are several other ways in which personal data may be handled on Department of State web sites, as permitted by Federal and Departmental Internet guidelines. For example, for audit and security purposes, the Bureau of Diplomatic Security requires that the Department's web sites generate log files recording when the sites are visited. The log files do not record names or other data that identifies individual web users (see footnote 2 for what the report treats as personally identifiable data). Rather, they include the Internet protocol address [7] of the connecting computer, the time of the visit, and the Internet service provider used to access the web site. For example, when a visitor connects from America Online to a Department web site, the web management system records the visitor's web domain (aol.com) and the date and time of the visit. The logs are amassed in large files that are stored and secured for a period of 6 months, after which they are destroyed. In case of computer security incidents, such as hacker intrusions or denials of service, the logs are turned over to security officials for investigation. The Department also uses the logs to determine web trends, create summary statistics on what information is of most and least interest, and identify systems performance or problem areas. Commercial software programs are available to enable systems administrators to view and analyze the logs easily. Officials told us that the Department began generating the logs about 2 to 3 years ago, when it began increasing the number of agency web sites.

Other ways in which personal data might be handled on the Department's web sites include having individuals who live or travel abroad register electronically, providing personally identifiable information to U.S. embassy and consulate web sites to facilitate emergency communications, security preparations, or evacuations. A visitor to a Department of State web site might also provide personal information in an e-mail message sent through the site. When this occurs, the Department uses any information the visitor provides only as a means of responding to the message. In both such instances, individuals voluntarily provide the personal information to the Department; the information is not collected on the web site without the individuals' knowledge.

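As an added example, not from the report or from the Department's systems, of how the log handling described above can be implemented, the following Python code parses a few constructed common-log-format lines, enforces the six-month retention limit, produces per-domain and per-path summary statistics that need no per-visitor profile, and flags a client that requested several non-existent paths, the kind of entry that would be turned over for an incident investigation. The hostnames, addresses and paths are constructed, and reading "6 months" as 183 days is this example's assumption.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache common log format. With hostname lookups enabled the client field carries the
# resolved name (a dial-up host in aol.com, say) rather than a bare address.
_CLF = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
                  r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+$')
_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
_SECOND_LEVEL = {"co", "com", "net", "org", "ac", "gov", "edu"}

def _visitor_domain(client: str) -> str:
    """Reduce a client to the ISP or organisation domain the report describes (aol.com),
    keeping three labels for forms such as ihug.co.nz. Bare addresses are not resolved here."""
    if _IPV4.fullmatch(client):
        return "(unresolved)"
    labels = client.lower().split(".")
    keep = 3 if len(labels) >= 3 and labels[-2] in _SECOND_LEVEL else 2
    return ".".join(labels[-keep:])

def parse_log(text: str) -> list:
    """One dict per well-formed line; malformed lines are skipped rather than guessed at."""
    records = []
    for line in text.splitlines():
        m = _CLF.match(line)
        if not m:
            continue
        parts = m.group("request").split()
        records.append({
            "client": m.group("client"),
            "domain": _visitor_domain(m.group("client")),
            "when": datetime.strptime(m.group("when"), "%d/%b/%Y:%H:%M:%S %z"),
            "path": parts[1] if len(parts) >= 2 else "",
            "status": int(m.group("status")),
        })
    return records

def prune_expired(records: list, now: datetime, retention_days: int = 183) -> list:
    """Enforce the retention limit: the report says logs are kept for 6 months and then
    destroyed; 183 days is this example's reading of that period."""
    cutoff = now - timedelta(days=retention_days)
    return [r for r in records if r["when"] >= cutoff]

def summarize(records: list) -> dict:
    """Trend statistics that need no per-visitor profile: hits per visitor domain and per path."""
    return {
        "by_domain": Counter(r["domain"] for r in records),
        "by_path": Counter(r["path"] for r in records),
    }

def flag_probing(records: list, min_not_found: int = 3) -> list:
    """Clients that requested several non-existent paths, sorted: the entries an
    administrator would pull for security officials after an incident."""
    misses = Counter(r["client"] for r in records if r["status"] == 404)
    return sorted(c for c, n in misses.items() if n >= min_not_found)

# Constructed sample log; hosts, addresses and paths are hypothetical.
SAMPLE_LOG = """\
ww-tb04.proxy.aol.com - - [20/Feb/2001:14:02:11 -0500] "GET /index.html HTTP/1.0" 200 5120
ww-tb04.proxy.aol.com - - [20/Feb/2001:14:02:13 -0500] "GET /visa.html HTTP/1.0" 200 8801
dialup7.ihug.co.nz - - [20/Feb/2001:14:05:40 -0500] "GET /index.html HTTP/1.0" 200 5120
192.0.2.44 - - [20/Feb/2001:14:07:01 -0500] "GET /cgi-bin/search HTTP/1.0" 404 312
192.0.2.44 - - [20/Feb/2001:14:07:02 -0500] "GET /admin/ HTTP/1.0" 404 312
192.0.2.44 - - [20/Feb/2001:14:07:03 -0500] "GET /backup.zip HTTP/1.0" 404 312
192.0.2.44 - - [20/Feb/2001:14:07:04 -0500] "GET /visa.html HTTP/1.0" 200 8801
gw.example-univ.edu - - [10/Jul/2000:09:15:22 -0400] "GET /index.html HTTP/1.0" 200 5120
"""
NOW = datetime(2001, 2, 21, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    kept = prune_expired(parse_log(SAMPLE_LOG), NOW)
    print(summarize(kept))
    print("probing:", flag_probing(kept))
```

The summary is built from the visitor's domain, not the full client name, so the trend figures can be kept after the raw lines are destroyed without carrying a record of any individual; the raw records, which do identify a connecting computer, are the ones the retention cut-off removes.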
We\nfound that no unauthorized ways of handling personal information were used\xe2\x80\x94either\ndirectly or through third-party agreements\xe2\x80\x94on the Department of State web sites that we\nreviewed.\n\nPotential Need for Persistent Cookies in the Future\n\nAlthough current guidance restricts cookie use, senior Department officials told us that it\nmight be necessary in the future to use cookies on Internet web sites in order to improve\nthe quality of service to the public. For example, Section 1704 of the Government\nPaperwork Elimination Act8 requires that by 2003, executive agencies provide options for\nthe electronic maintenance, submission, or disclosure of information, when practical, as a\nsubstitute for paper. To comply with the legislation, agencies may find it necessary to\nuse cookies on their web sites. Currently, Department of State web sites only provide\n7\n  An Internet protocol address is a series of numbers used to identify a computer on the Internet. When\ntransferring data from one computer to another, both the sending and receiving Internet protocol addresses\nare attached to the data packet to allow two-way communications.\n8\n    Government Paperwork Elimination Act, 44 USC 3504, October 1998.\n\n\n                                                                                                         7\n\x0cinformation on the Department and its services. However, in the future, the Department\nplans to offer a variety of online services, such as passport applications, that may require\nthe use of cookies. 
Further, if the Department allows users to customize their view of\nState web sites to display only specified information, cookies may be needed to\nremember the user preferences.\n\n    Recommendation 1: We recommend that, in accordance with established Federal\n    policy and Department of State guidelines, the Under Secretary for Public Diplomacy\n    and Public Affairs direct all of the Department\xe2\x80\x99s bureaus, offices, and overseas\n    missions to inspect their web sites to identify any persistent cookies and either\n    remove them or request the Secretary\xe2\x80\x99s approval for their continued use.\n\nPRIVACY STATEMENTS NOT CONSISTENTLY POSTED ON DEPARTMENT\nWEB SITES\n\nWe found that a number of Department of State organizations do not comply with\nFederal and agency requirements for posting up-to-date privacy notices on their Internet\nsites. The general practice is to provide a link on the initial home page that provides a\ncentral location for various disclaimers and legal notices to cover the web site as a whole.\nAdditional privacy notices are also needed wherever information is collected from the\npublic on the web site.\n\nHowever, as of early February 2001, 116 of 206--well over half of the Department\xe2\x80\x99s sites\nthat we reviewed--had no privacy statements and therefore no means of advising users of\nany information collected on the sites. Of the 90 sites that had privacy statements,\n\n\xe2\x80\xa2   48 sites had their own privacy statements,\n\xe2\x80\xa2   5 sites linked to the privacy statement at usinfo.state.gov, and\n\xe2\x80\xa2   37 sites linked to the generic statement on the Department\xe2\x80\x99s main Internet site at\n    www.state.gov.\n\nOf the 37 sites that linked to the main State Department site, only 3 referenced the current\nnotice. The other 34 referenced an outdated privacy statement, archived from a time\nwhen the main site was hosted at the University of Illinois at Chicago. 
The Department\xe2\x80\x99s\nmain site has been managed by UUNET, another Internet service provider, since January\n2001. Webmasters that we informed of the outdated privacy notices all agreed to update\ntheir site links.\n\nFurther, we found that the two sites that knowingly used persistent cookies did not post\nadequate privacy statements to advise site visitors of this practice. As discussed above,\nhowever, none of the persistent cookies identified were used to track or collect personal\ndata on individual site users.\n\n    Recommendation 2: We recommend that the Under Secretary for Public Diplomacy\n    and Public Affairs direct all Department of State organizations to examine their web\n    sites to ensure that complete and up-to-date privacy statements are posted to their web\n\n\n\n                                                                                               8\n\x0c   sites, or appropriately linked to privacy statements on the primary Department web\n   site, advising site visitors of any personally identifiable data that is collected, stored,\n   or used by the web site for any purpose.\n\nDECENTRALIZED MANAGEMENT STRUCTURE HINDERS\nDEPARTMENTWIDE OVERSIGHT OF WEB SITES\n\nThe Department\xe2\x80\x99s structure for managing its public web sites is highly decentralized in\nthat a number of different organizations share responsibility for guiding or controlling\nvarious aspects of Internet management. Domestic bureaus and posts also have\nconsiderable independence regarding how to manage and host their web sites. This\nfragmented management structure may have contributed to the uneven compliance with\nInternet cookie restrictions and privacy statement requirements that we found across the\nDepartment.\n\nFragmented Internet Guidance, Oversight, and Control\n\nThe Department has not established a single office with responsibility for all the different\naspects of web site management organizationwide. 
Rather, several organizations share\nthis responsibility, individually providing coordination, guidance, oversight, and/or\noperational support for the Department\xe2\x80\x99s various public web sites.\n\nTwo organizations within the Office of Public Diplomacy and Public Affairs share\nresponsibility for coordinating Internet web site management at headquarters and at\noverseas missions. Specifically, the Office of Electronic Information within the Bureau\nof Public Affairs clears information for public dissemination on the Internet and has basic\nresponsibility for coordinating Internet web sites for regional and functional bureaus at\nDepartment headquarters. This Office also operates and maintains the official primary\nweb access point for the Department at www.state.gov and provides content and design\nguidance to organizations that publish web pages. Similarly, the Office of International\nInformation Programs operates and maintains the international home page for the\nDepartment, located at usinfo.state.gov. The Office provides advice and assistance to\nseveral local sites, but is primarily responsible for helping overseas missions set up their\nown web sites. Embassies are encouraged to consult with the Office of International\nInformation Programs on site content and design. Neither the Office of Electronic\nInformation nor the Office of International Information Programs has the authority to\nenforce web site management policy, including ensuring compliance with Federal and\nState Department Internet privacy guidelines.\n\nA number of other organizations provide Internet guidance and support for web sites\nacross the entire Department. For example, the Bureau of Diplomatic Security provides\nadvice on web page development to ensure that Internet sites conform with security\nrequirements, including the use of log files discussed above. 
The Bureau of Information\nResource Management provides operational support for some web sites and incorporates\nInternet guidance into the Foreign Affairs Manual. Further, several organizations within\nthe Department, including the Office of the Legal Adviser and the Office of Records and\n\n\n\n                                                                                                 9\n\x0cPublishing Services within the Bureau of Administration, have responsibility for clearing\nprivacy notices and disclaimers.\n\nDomestic Organizations and Overseas Posts Have Web Hosting Flexibility\n\nAmid this fragmented organizational structure, the Department\xe2\x80\x99s bureaus and posts have\nconsiderable flexibility regarding how they individually manage their Internet web sites.\nThey have primary responsibility for complying with prescribed policies and ensuring\nprivacy on their Internet sites. Because there is no mandated standard, organizations can\nalso choose from among several web site hosting options.\n\nSpecifically, organizations can have the Department host their sites on www.state.gov,\nthe official primary web site run by Public Affairs. With few exceptions, these sites use a\nstandard \xe2\x80\x9cstate.gov\xe2\x80\x9d naming convention. The Office of Electronic Information uses a\nDocument Management System to centrally coordinate and monitor sites that use this\nnaming convention. The system also facilitates update of the state.gov sites without\nhaving to input individual code changes.\n\nOrganizations, primarily overseas missions, can also have their sites hosted under a\ncontract managed by the Office of International Information Programs, which sponsors\nthe central usinfo.state.gov home page. 
Like sites on the domestic www.state.gov home\npage, overseas sites hosted through the Office also generally use a standard naming\nconvention that begins with \xe2\x80\x9cusembassy.state.gov.\xe2\x80\x9d The Office of International\nInformation Programs periodically examines web sites on its home page, sends out policy\nreminders, and encourages regional monitoring of web sites overseas. Although the\nOffice has no direct Internet oversight or enforcement authority, the Office has makeshift\narrangements to monitor web sites for such things as cookies, install updates, or ensure\nthat no unauthorized or classified information is used on the sites. Sites under both the\ncentral www.state.gov and the usinfo.state.gov home pages are currently hosted and\nprovided with Internet connectivity by UUNET.\n\nFurther, organizations can host their sites at locations within the Department, independent\nof the two primary web sites. For example, some organizations have their sites hosted by\nthe Business Center within the Bureau of Information Resource Management on a fee-\nfor-service basis. Others host their web sites on their own internal web servers. Still\nother organizations have contracts for web hosting through local or overseas third-party\ncompanies. As discussed above, we found that at least one site hosted by a third-party\ncontractor used a persistent cookie. Organizations that host their sites independently,\neither internally or externally, use a range of Internet service providers. They also use\ndifferent domain names for their Internet addresses--i.e., .org, .mil, or .com--and not just\n.gov. The Department encourages organizations that independently host their web sites\nto inform and consult with the Office of Electronic Information and the Office of\nInternational Information Programs about their web sites.\n\nOfficials we interviewed expressed a variety of reasons for hosting their web sites\nindependent of the two primary Department of State sites. 
For example, some had established their web sites before the two central home pages were in place. A few preferred to host their own sites internally for security reasons. Others believed that it is more efficient to have contractors externally host their sites and retain responsibility for keeping the hardware, software, and firewall security up to date. Still others believed that third-party hosting provides greater capability and public access than the Department’s two primary web pages. In the case of the overseas sites, there are some locations where local hosting is a necessity due to either a lack of adequate bandwidth or host government restrictions on access to sites outside of a country’s natural domain.

A number of officials told us that, because of this fragmented Internet management structure, it is difficult to ensure that all sites are kept up to date or in compliance with established Internet guidelines, such as restrictions on cookie use. Further, we found no single consolidated list of every public web site in existence throughout the Department. Only by visiting offices and talking with officials across the Department were we able to identify the 206 public sites that we discuss in this report. We consequently have no means of ensuring that we identified and included all of the Department’s public web sites in our Internet privacy management review.

Steps Taken to Improve Departmentwide Web Site Management

The Department of State’s Internet Working Group is a first step toward instituting organizationwide control of web site management. The working group began meeting in October 1999 to address public web security issues in the wake of an attack on one of the Department’s overseas web sites.
The working group is made up of about 30 representatives from various organizations in the Department, primarily the Bureaus of Administration, Information Resource Management, Diplomatic Security, and Public Affairs, and the Office of International Information Programs. The group meets periodically to discuss web-related issues, examine Internet use, and recommend policies to govern Internet management across the Department. It is this working group that drafted a domain name paper for simplifying web access and developed the Guidelines for Public Information Dissemination on the Internet. Because the working group has no authority to issue policy, the guidelines were implemented under the auspices of the five principal organizations represented in the group.

Given the great number of web-related issues that need attention, the Internet Working Group recently took steps to become formally chartered as a permanent senior-level Internet steering committee within the Department. A memorandum issued by the working group recently transmitted a draft charter and requested approval for establishing the committee from the five Assistant Secretaries of the previously mentioned organizations. The memorandum suggested that the committee serve as a forum for discussing the full range of Internet issues, including web site content and presentation, and standardizing site-naming conventions. The memo also proposed that the committee be charged with recommending policies and priorities for the development, management, and operation of Internet web sites and related services Departmentwide. The Internet Steering Committee was chartered in February 2001. To maintain continuity, the chair of the Internet Working Group volunteered to kick off the new committee and serve as chair for its first year.
The committee chair, along with other officials we interviewed, suggested that establishing a staff office with full-time responsibility for web policy development, coordination, and oversight on a daily basis would also be useful to support the work of the permanent committee.

       Recommendation 3: We recommend that the Under Secretary for Public Diplomacy and Public Affairs establish a small Internet Program Office to provide full-time, day-to-day support for the work of the Internet Steering Committee in coordinating and addressing public web site management issues on a Departmentwide basis. The Program Office should, at a minimum, be composed of officials from the five principal organizations represented on the Internet Steering Committee. Program Office responsibilities should include, but not be limited to:

       •   coordinating with and supporting the activities of the Internet Steering Committee to carry out its web site policy responsibilities;
       •   developing and/or updating internal policies, guidelines, and standards adopted by the committee to govern the Department’s web sites in accordance with Federal guidelines;
       •   providing advice and assistance to the Department’s bureaus, offices, and missions regarding web site content and design;
       •   maintaining a complete and up-to-date inventory of all of the Department’s domestic and overseas web sites and their site hosting arrangements;
       •   monitoring the Department’s web sites to ensure that they are kept up to date and in compliance with established web management guidelines and standards;
       •   referring web sites found noncompliant with established guidelines and standards to the attention of the Office of the Under Secretary for Public Diplomacy and Public Affairs, along with recommendations for corrective action; and
       •   identifying and promoting the use of best practices in web site management across the Department.

DEPARTMENT COMMENTS AND OUR EVALUATION

The Office of the Under Secretary for Management and the Office of the Under Secretary for Public Diplomacy and Public Affairs provided written comments on a draft of our report. Copies of their comments are included in Appendix B. The Office of the Under Secretary for Public Diplomacy and Public Affairs generally agreed with our first two recommendations about ensuring that Department of State organizations comply with web site management requirements, such as restrictions on cookie use and requirements on posting privacy statements. Specifically, this office stated that the Department should continue its interbureau collaborative approach through the Internet Steering Committee and proposed that the committee notify all bureaus and posts on how to fully comply with these regulations. The office further stated plans to have International Information Programs and Public Affairs--its organizations with primary responsibility for Department public web site coordination--supply staff resources in the short term to monitor and provide committee guidance to help ensure compliance with the immediate OMB requirements. We recognize recent preparations along these lines to disseminate the Guidelines for Public Information Dissemination on the Internet to all diplomatic and consular posts.
We also support the office’s ongoing commitment to providing much-needed oversight to help ensure compliance with existing Federal web management guidance.

However, the Office of the Under Secretary for Management and the Office of the Under Secretary for Public Diplomacy and Public Affairs expressed varying concerns with our third recommendation about establishing an Internet Program Office. For example, the Office of the Under Secretary for Public Diplomacy and Public Affairs recognized the need for more systematic oversight of the Department’s public Internet sites and acknowledged that this might require staffing, as our recommendation suggests. However, the office preferred to work out this matter and allocate resources jointly with the Office of Management once the Internet Steering Committee is in place and its function better defined. We believe this to be a reasonable approach and acknowledge that the offices involved must have flexibility to establish the Internet Program Office as they deem appropriate. We also agree that the Internet Steering Committee is the correct forum for collaboratively finalizing such arrangements. However, to ensure Departmentwide involvement, we reemphasize our recommendation that the Program Office be composed of officials from all principal organizations represented on the Internet Steering Committee—not just the Office of the Under Secretary for Management and the Office of the Under Secretary for Public Diplomacy and Public Affairs.
Given the inconsistent compliance we found with Internet policy guidelines, we also encourage that steps be taken as soon as possible to establish the Program Office and that this matter not be prolonged beyond the FY 2002 budget planning cycle--the time frame that the Office of the Under Secretary for Public Diplomacy and Public Affairs suggested.

In contrast, the Office of the Under Secretary for Management disagreed with the need for an Internet Program Office. This office stated that our proposal for establishing such an organization conflicts with current thought on reform and delayering of the Department’s management structure. In the office’s view, creation of such a Program Office constituted appointment of an “Internet Czar,” which would adversely affect the Department’s use of the Internet. We disagree. Our report does not advocate establishing a central, high-level office to police Departmentwide Internet management. Rather, we recommend establishing a working-level office to support the activities of the Internet Steering Committee, representing multiple organizations across the Department. Our recommendation is based upon our own observations, as well as comments by a number of officials that we interviewed, concerning the Department’s need for a full-time, operational body to provide day-to-day assistance for web site design and maintenance, as well as monitoring and advice to help ensure compliance with established web guidelines.

The Office of the Under Secretary for Management was also concerned that we had addressed our report recommendations only to the Under Secretary for Public Diplomacy and Public Affairs, countering that a number of organizations across the Department have responsibility for various aspects of Internet management and policy guidance.
The office suggested that we address our recommendations to both Under Secretaries jointly. Again, we disagree. We recognize the Department’s decentralized structure for web management and discuss this issue in detail in our report. Nonetheless, we believe that we have appropriately directed our report because our recommendations involve posting of privacy notices and use of cookies, issues closely related to web content and design, which currently fall under the purview of the Office of the Under Secretary for Public Diplomacy and Public Affairs. Specifically, the Bureau of Public Affairs and the Office of International Information Programs within the Office of the Under Secretary for Public Diplomacy and Public Affairs currently have responsibility for coordinating and providing advice on web site management at headquarters and overseas posts. They also monitor web site content--albeit at times in a makeshift, collateral manner, as discussed in our report. As such, the Office of the Under Secretary for Public Diplomacy and Public Affairs is in the best position to lead the rest of the Department in ensuring much-needed web oversight.

Finally, the Office of the Under Secretary for Management stated that the scope of our review went beyond the requirements of Section 646 of the Treasury and General Government Appropriations Act, 2001, in addressing issues concerning the Department’s decentralized management structure. We recognize that our report moves beyond the statutory requirements and discuss this in the purpose, scope, and methodology section of our report. We believed it necessary to discuss the Internet privacy management problems we found, and to determine why these problems occurred.
As we assert in our report, it is the Department’s fragmented management structure that may have contributed to unauthorized use of Internet cookies and inconsistent posting of privacy statements on Department of State web sites.


                                                                                          APPENDIX A

                              WEB SITE TEST METHODOLOGY

We reviewed the 22 domestic and 184 overseas Internet web sites that we identified within the Department from January 30 through February 27, 2001. Our review entailed navigating through the web pages within each site--generally spending 3 to 10 minutes per site--to determine whether the site used cookies and posted a privacy statement advising of this practice and any other automated activities to collect personal data. To determine cookie use on a web site, we first had to change the security settings in Microsoft’s Internet Explorer so that the browser would prompt us whenever a web site tried to place a cookie on our computer. For each web site visited, we printed a copy of the site’s home page, privacy statement, and any cookie notification[9] that appeared. We also examined the cookie notification to determine whether session or persistent cookies were used.
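The session-versus-persistent determination that the review made from the browser’s cookie prompt, as an added example that is not part of the report or of any Department system: it classifies Set-Cookie headers by the RFC 6265 expiry rules (Max-Age takes precedence over Expires; neither attribute means a session cookie) and flags a site that sets a persistent cookie without linking to a privacy statement. The sample headers, page HTML and review date are constructed for the example.

```python
"""Added example (not from the report): classify Set-Cookie headers as
session, persistent or expired and apply Appendix A's two checks to a site."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed: a date inside the January 30 - February 27, 2001 review window.
REVIEW_DATE = datetime(2001, 2, 15, tzinfo=timezone.utc)


@dataclass
class CookieFinding:
    name: str
    kind: str                    # "session", "persistent" or "expired"
    expires: "datetime | None"   # None for a session cookie


def classify_set_cookie(header: str, now: datetime) -> CookieFinding:
    """RFC 6265 expiry rules: Max-Age takes precedence over Expires; a cookie
    with neither attribute lives only until the browser is closed."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    expiry = None
    if re.fullmatch(r"-?\d+", attrs.get("max-age", "")):
        expiry = now + timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        try:
            expiry = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            expiry = None            # unparseable date: attribute is ignored
        if expiry is not None and expiry.tzinfo is None:
            expiry = expiry.replace(tzinfo=timezone.utc)
    if expiry is None:
        return CookieFinding(name, "session", None)
    # An expiry at or before "now" deletes the cookie rather than persisting it.
    return CookieFinding(name, "persistent" if expiry > now else "expired", expiry)


def audit_site(set_cookie_headers, html: str, now: datetime = REVIEW_DATE) -> dict:
    """Appendix A's checks for one site: which persistent cookies it sets and
    whether the home page links to a privacy statement (anchor text check)."""
    findings = [classify_set_cookie(h, now) for h in set_cookie_headers]
    persistent = [f.name for f in findings if f.kind == "persistent"]
    has_statement = re.search(r"<a\b[^>]*>[^<]*privacy[^<]*</a>", html, re.I) is not None
    return {
        "persistent_cookies": persistent,
        "privacy_statement": has_statement,
        # The condition the report flags: persistent cookies, no privacy statement.
        "noncompliant": bool(persistent) and not has_statement,
    }


if __name__ == "__main__":
    # Constructed sample response: one session cookie, one cookie expiring in 2010.
    headers = ["SESSIONID=a1b2c3; Path=/; HttpOnly",
               "visitor=7f3e; Expires=Fri, 01-Jan-2010 00:00:00 GMT; Path=/"]
    print(audit_site(headers, "<html><body><a href='/'>Home</a></body></html>"))
```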
Figure 1 below provides an example of a persistent cookie notification.

                  Figure 1: Sample Persistent Cookie Notification
                  [Image of the browser’s cookie prompt not reproduced.]
                  Because this cookie does not expire until 2010, it is a persistent cookie.

[9] Such cookie notifications do not adequately fulfill OMB requirements to post clear, conspicuous privacy statements at major web entry points to reflect what, if any, personal information is collected on web sites and how that information is used.


                                                            APPENDIX C

          ORGANIZATIONS THAT PARTICIPATED IN OUR REVIEW

Bureau of Administration
Bureau of Consular Affairs
Bureau of Diplomatic Security
Bureau of Educational and Cultural Affairs
Bureau of Information Resource Management
Bureau of Intelligence and Research
Bureau of Nonproliferation
Bureau of Political-Military Affairs
Bureau of Public Affairs
International Cooperative Administrative Support Services
Office of International Information Programs
Office of the Legal Adviser
Office of the Procurement Executive